Subject: Re: [wss] Comments on WSS-Core-01


I find the existing sentence confusing.

 733 When an XML Signature is used in conjunction with the <wsse:SecurityTokenReference>
 734 element, the security token of a message signer may be correlated and a mapping made
 735 between the claims of the security token and the message as evaluated by the application.

If the following accurately represents what is meant, I recommend that 
we use it, or perhaps something
derived from it.

The validation of an XML signature that uses a SecurityTokenReference to 
identify the key used to create the signature justifies the application 
(by the relying party/receiver) of any other claims made within the 
referenced token (most notably the identity bound to the key) to the 
signature author (that is, if the relying party trusts the authority 
responsible for the claims in the referenced token).

Ron

Anthony Nadalin wrote:

>
>
>OK, while I understand what is being said here, I still think that the
>present wording explains this, so is there some proposed wording that folks
>prefer?
>
>Anthony Nadalin | work 512.436.9568 | cell 512.289.4122
>
>
>From: "Mishra, Prateek" <pmishra@netegrity.com>
>Date: 10/02/2002 10:43 AM
>To: "'Hal Lockhart'" <hal.lockhart@entegrity.com>, "Mishra, Prateek" <pmishra@netegrity.com>, wss@lists.oasis-open.org
>cc:
>Subject: RE: [wss] Comments on WSS-Core-01
>
>[Prateek Mishra]
>
>Hal,
>
>thanks for your clarification which appears quite reasonable to me. However,
>notice that the
>original text refers only to <wsse:SecurityTokenReference> elements
>combined with signatures.
>Your clarification explains the more general case of combining tokens of
>one sort or the other with
>signatures in the <wss:Security> header. We should either generalize lines
>733-735 or explain why combining <wsse:SecurityTokenReference>
>with signatures has some additional special meaning.
>
>
> > (4) lines 733 - 735: I could not follow the point made here at all.
>
>
> To make this easier to follow, the lines in question are:
>
>
> ----
> 733 When an XML Signature is used in conjunction with the
> <wsse:SecurityTokenReference>
> 734 element, the security token of a message signer may be correlated and
> a mapping made
> 735 between the claims of the security token and the message as evaluated
> by the application.
> ----
>
>
> I believe the intention is that if the application receiving the message
> trusts the token, it is allowed to associate the claims in the token
> with the party that originated the signed message. However, the specific
> semantics applied depend implicitly on both the nature of the claims and
> the specific application (and hence the contents of the message). They are
> not explicitly indicated by the contents of the security header.
>
>
> Common cases would be:
>
>
> 1. The message is some type of request and the claims describe the party
> making the request.
>
>
> 2. The information in the message is asserted to be correct by the party
> described by the claims.
>
>
> 3. The party described by the claims agrees to the contractual terms
> represented in the message.
>
>
> 4. The claims describe the policy for any use or distribution of the
> information in the message.
>
>
> However, these are surely not exhaustive.
>
>
> Hal
>
>
>
>
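The receiver-side logic Ron's rewording describes, as an added example that is not part of this thread, the WSS-Core draft, or any TC code: the signature's ds:KeyInfo carries a wsse:SecurityTokenReference, the receiver resolves it to a token in the same wsse:Security header, verifies the signature with the key that token identifies, and only then attributes the token's other claims (here a Subject) to the signer, and only if the token's Issuer is one the relying party trusts. Everything beyond the element names is an assumption of this example: HMAC-SHA256 over ElementTree's serialization of the signed element stands in for XML-DSig (no canonicalization, no SignedInfo digests), and the token is a hypothetical `ex:SharedKeyToken` carrying Issuer, Subject and KeyId attributes; the envelope, key store and trust list are constructed sample data.

```python
# Added example (not code from the WSS thread or the WS-Security spec).
# Toy receiver for the semantics in Ron's proposed text: resolve the
# wsse:SecurityTokenReference, verify the signature with the referenced
# token's key, and only then apply the token's claims to the signer,
# provided the token's issuer is trusted.
# Assumptions: HMAC-SHA256 over ElementTree's serialization of the signed
# element stands in for XML-DSig (no C14N, no SignedInfo digests); the token
# is a hypothetical <ex:SharedKeyToken Issuer= Subject= KeyId=>.
import hashlib
import hmac
import xml.etree.ElementTree as ET

NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "ex": "urn:example:toy-token",  # hypothetical namespace for the toy token
}
for _p, _u in NS.items():
    ET.register_namespace(_p, _u)
WSU_ID = "{%s}Id" % NS["wsu"]

# Constructed sample envelope; {sig} is filled in by the sender.
TEMPLATE = """<soap:Envelope xmlns:soap="{soap}" xmlns:wsse="{wsse}" xmlns:wsu="{wsu}" xmlns:ds="{ds}" xmlns:ex="{ex}">
<soap:Header><wsse:Security>
<ex:SharedKeyToken wsu:Id="tok-1" Issuer="{issuer}" Subject="alice" KeyId="k1"/>
<ds:Signature>
<ds:SignedInfo><ds:Reference URI="#body"/></ds:SignedInfo>
<ds:SignatureValue>{sig}</ds:SignatureValue>
<ds:KeyInfo><wsse:SecurityTokenReference><wsse:Reference URI="{str_uri}"/></wsse:SecurityTokenReference></ds:KeyInfo>
</ds:Signature>
</wsse:Security></soap:Header>
<soap:Body wsu:Id="body"><ex:Transfer to="acct-42" amount="{amount}"/></soap:Body>
</soap:Envelope>"""


def find_by_id(root, wsu_id):
    """Return the element in root's subtree whose wsu:Id matches, or None."""
    for el in root.iter():
        if el.get(WSU_ID) == wsu_id:
            return el
    return None


def build_message(key, *, amount="100", issuer="urn:example:idp", str_uri="#tok-1"):
    """Sender: sign the Body with the shared key and emit the envelope."""
    fields = dict(NS, issuer=issuer, str_uri=str_uri, amount=amount)
    body = find_by_id(ET.fromstring(TEMPLATE.format(sig="", **fields)), "body")
    sig = hmac.new(key, ET.tostring(body), hashlib.sha256).hexdigest()
    return TEMPLATE.format(sig=sig, **fields)


class VerifyError(Exception):
    pass


def resolve_str(security, str_elem):
    """Resolve a wsse:SecurityTokenReference to a token in the same Security header."""
    ref = str_elem.find("wsse:Reference", NS) if str_elem is not None else None
    uri = ref.get("URI", "") if ref is not None else ""
    if not uri.startswith("#"):
        raise VerifyError("only local wsse:Reference URIs are handled in this example")
    token = find_by_id(security, uri[1:])
    if token is None or token.tag != "{%s}SharedKeyToken" % NS["ex"]:
        raise VerifyError("STR %s does not resolve to a token in the Security header" % uri)
    return token


def receive(envelope, keystore, trusted_issuers):
    """Receiver: verify the signature, then attribute the token's claims to the signer."""
    root = ET.fromstring(envelope)
    security = root.find("soap:Header/wsse:Security", NS)
    sig = security.find("ds:Signature", NS) if security is not None else None
    if sig is None:
        raise VerifyError("no wsse:Security/ds:Signature in the message")
    token = resolve_str(security, sig.find("ds:KeyInfo/wsse:SecurityTokenReference", NS))
    key = keystore.get(token.get("KeyId"))
    if key is None:
        raise VerifyError("token names unknown key %s" % token.get("KeyId"))
    target_uri = sig.find("ds:SignedInfo/ds:Reference", NS).get("URI", "")
    signed = find_by_id(root, target_uri[1:])
    if signed is None:
        raise VerifyError("ds:Reference %s points at nothing" % target_uri)
    expected = hmac.new(key, ET.tostring(signed), hashlib.sha256).hexdigest()
    actual = sig.findtext("ds:SignatureValue", default="", namespaces=NS).strip()
    if not hmac.compare_digest(expected, actual):
        raise VerifyError("signature does not verify; no claims attributed")
    # A valid signature proves possession of the key the token binds to its
    # subject, so the token's other claims may now be applied to the signer,
    # but only if the relying party trusts the authority that issued the token.
    issuer = token.get("Issuer")
    if issuer not in trusted_issuers:
        raise VerifyError("token issuer %s not trusted; claims not attributed" % issuer)
    return {"signer": token.get("Subject"), "issuer": issuer,
            "signed": target_uri, "key_id": token.get("KeyId")}


def outcome(envelope, keystore, trusted_issuers):
    """Return the attributed claims, or the refusal reason as a string."""
    try:
        return receive(envelope, keystore, trusted_issuers)
    except VerifyError as e:
        return str(e)


KEYSTORE = {"k1": b"constructed-shared-secret"}  # constructed key store
TRUSTED = {"urn:example:idp"}                     # constructed trust list

if __name__ == "__main__":
    good = build_message(KEYSTORE["k1"])
    print(outcome(good, KEYSTORE, TRUSTED))                                  # claims attributed to alice
    print(outcome(good.replace('amount="100"', 'amount="9000"'), KEYSTORE, TRUSTED))  # tampered Body
    print(outcome(build_message(KEYSTORE["k1"], str_uri="#tok-9"), KEYSTORE, TRUSTED))  # dangling STR
    print(outcome(build_message(KEYSTORE["k1"], issuer="urn:example:rogue"), KEYSTORE, TRUSTED))  # untrusted issuer
```

The ordering in `receive` is the point of Ron's wording: the claims are never read off the token on their own, the STR only tells the receiver which key to verify with, and attribution happens after the signature checks out and after the issuer passes the trust decision, so a dangling reference, a tampered Body, or a token from an unknown authority all yield no attributed identity.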



